Is your business ready for POPI?

15 Mar 2014

South African businesses are not ready for the looming implementation of the Protection of Personal Information Act (POPI), according to auditing firm Grant Thornton.

The POPI Act, which was gazetted in December last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected.

The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.

Michiel Jonker, director: IT Advisory at Grant Thornton, says that, based on feedback which they had received from the business community, it is clear that most organisations are still not ready to implement the ground-breaking legislation.

“There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for POPI and that it’s not going to work. They say even some of the big corporate players are at different levels of compliance or not ready to implement it at all,” said Jonker.

Jonker said one of the reasons for this is that South Africa does not have the privacy culture of the more developed countries.

“We see all the time how passwords and the like go unprotected. Security cameras record personal information without securing permission or issuing a warning to those affected.”

“The African continent as a whole is not geared for this level of privacy protection – we’re in survival mode and some believe that we are therefore not in a space to implement this complex legislation yet,” said Jonker.

While POPI has many benefits, such as compliance with international standards that could lead to greater investment opportunities in both directions, the costs of implementing POPI will place significant cost pressures on big business, says Jonker, because of the extra layer of administration that compliance requires.

These costs include the employment of additional specialised personnel, including expensive and highly skilled privacy officers; the contracting of IT and business auditing service providers; and the need for specialist legal consultants to review all existing agreements which the company has with third parties.

In addition to the rising cost of doing business, companies are also faced with the potential of multi-million rand monetary fines, civil claims and reputational damage if found guilty of POPI transgressions.

Lucien Pierce, legal partner from Phukubje Pierce Masithela Attorneys who collaborates with Grant Thornton on POPI matters and other items, says that the introduction of POPI could lead to significant fines for companies who are found to have had data breaches.

“Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40,000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre,” Pierce said.

“While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a 2 million British pounds fine on the UK office of the company due to the POPI-like legislation that was already in place in Europe.”

More recently one could look at Google as another example, Pierce said. “The company has been criticised and fined for what European Union member states consider consistent breaches of data protection legislation.”

“While South Africa does not yet have comparable historic data, these case studies are measures and direct comparisons that you could draw between the EU and here.”

Most at risk in South Africa are big corporate organisations dealing with sensitive information, says Jonker, because they will have to prove to the regulatory body that they took appropriate steps to offset any potential data breaches.

“A mom-and-pop shop with a few customers may need to implement basic security, but a huge medical aid entity with thousands of members, dealing with very sensitive information, will need a much bigger team of specialists and advisors,” added Pierce.

“Every business has to prove that they did what the ‘reasonable person’ would have done, considering financial constraints; the sensitivity of the data they collect, process and store; the industry standards and expectations and best practices, generally accepted by the international community.”
